FDA Cybersecurity eSTAR Submission Requirements and Common Deficiency Points: Risk Management - Assessment of Unresolved Anomalies

"Threat modeling identified 11 high-risk attack paths; SBOM tracing found 7 critical components with unpatched vulnerabilities. These are 'Unresolved Anomalies' that must be declared. How do you show FDA that their residual risk is controlled?"

In an eSTAR cybersecurity submission, cross-checking the threat-based risk assessment against the SBOM (software bill of materials) is the core basis for deciding what counts as an unresolved anomaly. In eSTAR practice this item has become one of the most frequent deficiency (additional-information request) points in the cybersecurity module.

eSTAR submission requirement:

FDA guidance document "Content of Premarket Submissions for Device Software Functions" recommends that device manufacturers provide a list of software anomalies that exist in a product at the time of submission. For each of these anomalies, device manufacturers should conduct an evaluation of the anomaly's impact on the device's safety and effectiveness and consult the referenced guidance document to assess the associated documentation recommended for inclusion in such device's premarket submission.

Some anomalies discovered during development or testing may have security implications and may also be considered vulnerabilities. As a result, manufacturers should also assess the potential security impacts of anomalies. The assessment should also include consideration of any present Common Weakness Enumeration (CWE) categories (cwe.mitre.org).

Unresolved anomalies, as the guidance is applied in this section, cover:
① Software defects (bugs) found in internal testing
② Open CVEs (publicly disclosed vulnerabilities)
③ Known but unfixed security vulnerabilities in third-party components
④ Weaknesses identified during threat modeling that have not yet been addressed

A practical check before submitting: every SBOM component that matches a known vulnerability belongs on the list even when the vulnerable code path is not reachable in the device. The reachability argument is the risk-based rationale for that entry; leaving the entry off the list reads to a reviewer as an omission, not as a judgement call.

The deficiency item most often seen in submission practice reads as follows:

You provided XXXXXX; however, you did not provide a list of the unresolved anomalies (bugs or defects). When responding, we also recommend utilizing a standardized defect classification system, or taxonomy, for each anomaly, such as ANSI/AAMI SW91's Classification of defects in health software.
Adequate unresolved software anomalies documentation is important to understand the potential impacts of the anomalies on device performance and to demonstrate that appropriate measures have been taken to ensure anomalies will not affect safe and effective use of the device or result in adverse health effects for the patient such as misdiagnosis of disease states in patients, which is a safety concern. Therefore, as recommended in the "Unresolved Software Anomalies" section of FDA's guidance document "Content of Premarket Submissions for Device Software Functions" (https://www.fda.gov/media/153781/download), please provide:
• a description of the anomaly;
• identification of how the anomaly was discovered and, where possible, identification of the root cause(s) of the anomaly;
• evaluation of the impact of the anomaly on the device's safety and effectiveness, including operator usage and human factors considerations;
• outcome of the evaluation; and
• risk-based rationale for not correcting or fixing the anomaly in alignment with your risk management plan or procedure(s).

Why the deficiency is issued:
① No unresolved anomaly assessment report was provided.
② If every anomaly has been resolved, an explicit statement to that effect, with supporting evidence (for example the closed defect records), is still required; silence is read as a missing list.

Corrective measures:
① Provide an Unresolved Anomaly List.
② Give a risk assessment for each anomaly.
③ Record the risk mitigation measures already implemented, or the rationale for accepting the risk, together with the root-cause analysis that supports accepting it.
④ State whether the anomaly will be fixed in a later version update (and the corresponding timetable).
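The corrective measures above amount to a procedure: cross-check the SBOM against known vulnerabilities, merge the hits with open test defects and threat-model findings, and make sure every entry carries the five items the deficiency letter asks for plus a fix plan. The script below is an added example written for this page, not code from FDA, from ANSI/AAMI SW91 or from the page's authors. It assumes a CycloneDX-style SBOM fragment, a vulnerability feed whose entries carry `purl_base`, `fixed_in` and `cwe` fields, and a manufacturer-written assessment per SBOM hit; the component names, the VULN-EX-* identifiers, BUG-0042 and TM-017 are all constructed for the example and are not real components or CVEs. `validate` returns the records a reviewer would cite, which is the check to run before the list goes into the eSTAR.

```python
import json
from dataclasses import dataclass, asdict

# Fields the deficiency letter quoted above asks for on every unresolved anomaly.
REQUIRED_FIELDS = ("description", "discovered_by", "root_cause",
                   "impact_evaluation", "outcome", "rationale", "fix_plan")

@dataclass
class Anomaly:
    anomaly_id: str
    source: str       # "sbom", "test" or "threat-model"
    component: str
    cwe: str          # CWE category if one applies, else ""
    description: str = ""
    discovered_by: str = ""
    root_cause: str = ""
    impact_evaluation: str = ""
    outcome: str = ""
    rationale: str = ""
    fix_plan: str = ""

# Constructed CycloneDX-style SBOM fragment; the component names are made up.
SBOM_JSON = """{"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
  {"type": "library", "name": "example-tls",  "version": "1.2.9", "purl": "pkg:generic/example-tls@1.2.9"},
  {"type": "library", "name": "example-json", "version": "2.0.1", "purl": "pkg:generic/example-json@2.0.1"},
  {"type": "library", "name": "example-ble",  "version": "4.1.0", "purl": "pkg:generic/example-ble@4.1.0"}]}"""

# Constructed vulnerability feed; the VULN-EX-* ids are placeholders, not real CVEs.
VULN_FEED = [
    {"id": "VULN-EX-001", "purl_base": "pkg:generic/example-tls", "fixed_in": "1.3.0",
     "cwe": "CWE-787", "summary": "Out-of-bounds write when parsing a handshake record"},
    {"id": "VULN-EX-002", "purl_base": "pkg:generic/example-json", "fixed_in": "2.0.0",
     "cwe": "CWE-20", "summary": "Unbounded recursion on nested arrays"},
    {"id": "VULN-EX-003", "purl_base": "pkg:generic/example-ble", "fixed_in": "4.2.0",
     "cwe": "CWE-306", "summary": "Pairing completes without authentication"},
]

# Manufacturer's assessment of each SBOM hit (constructed). VULN-EX-003 deliberately
# lacks the risk-based rationale and fix plan, so the validator must flag it.
ASSESSMENTS = {
    "VULN-EX-001": {"root_cause": "Peer-supplied length trusted before the bounds check",
                    "impact_evaluation": "Crashes the comms task only; watchdog restarts it",
                    "outcome": "Residual risk acceptable with compensating control",
                    "rationale": "Handshake records capped at 16 KiB in the network driver",
                    "fix_plan": "Upgrade to 1.3.0 in the next planned release"},
    "VULN-EX-003": {"root_cause": "Vendor stack defaults to Just Works pairing",
                    "impact_evaluation": "Unauthenticated peer can read telemetry only",
                    "outcome": "Residual risk acceptable"},
}

# Open internal test defects and threat-model findings (constructed).
INTERNAL_OPEN = [
    dict(anomaly_id="BUG-0042", source="test", component="alarm-ui", cwe="",
         description="Alarm history shows stale timestamps after a DST change",
         discovered_by="System verification test", root_cause="Timezone offset cached at boot",
         impact_evaluation="Display only; alarm generation unaffected; no security impact",
         outcome="Not a vulnerability", rationale="Deferred per risk procedure; no hazard",
         fix_plan="Next maintenance release"),
    dict(anomaly_id="TM-017", source="threat-model", component="service-uart", cwe="CWE-306",
         description="Service mode reachable without authentication on the debug UART",
         discovered_by="STRIDE threat model of the maintenance interface",
         impact_evaluation="Needs physical access; enclosure carries a tamper-evident seal",
         outcome="Residual risk under review"),   # root cause, rationale, fix plan still open
]

def parse_version(v):
    # Dotted-integer compare; enough for the constructed data, not for vendor version strings.
    return tuple(int(p) for p in v.split("."))

def affected_components(sbom_json, feed):
    # Cross-check every SBOM component against the feed: affected if version < fixed_in.
    hits = []
    for c in json.loads(sbom_json)["components"]:
        base = c["purl"].rsplit("@", 1)[0]
        for v in feed:
            if v["purl_base"] == base and parse_version(c["version"]) < parse_version(v["fixed_in"]):
                hits.append((v, c["name"], c["version"]))
    return hits

def build_anomaly_list(sbom_json, feed, assessments, internal):
    records = []
    for v, name, version in affected_components(sbom_json, feed):
        fields = dict(anomaly_id=v["id"], source="sbom", component=f"{name} {version}", cwe=v["cwe"],
                      description=v["summary"], discovered_by="SBOM cross-check against vulnerability feed")
        fields.update(assessments.get(v["id"], {}))
        records.append(Anomaly(**fields))
    records.extend(Anomaly(**item) for item in internal)
    return records

def missing_fields(record):
    return [f for f in REQUIRED_FIELDS if not getattr(record, f).strip()]

def validate(records):
    # anomaly_id -> missing required fields, i.e. the records a reviewer would cite.
    return {r.anomaly_id: missing_fields(r) for r in records if missing_fields(r)}

if __name__ == "__main__":
    recs = build_anomaly_list(SBOM_JSON, VULN_FEED, ASSESSMENTS, INTERNAL_OPEN)
    print(json.dumps([asdict(r) for r in recs], indent=2))
    print("incomplete:", validate(recs))
```

Run stand-alone, the script prints four records (two SBOM hits, one test defect, one threat-model finding) and reports VULN-EX-003 as missing its rationale and fix plan and TM-017 as missing root cause, rationale and fix plan; example-json is not listed because its version already carries the fix. Two caveats for real use: match on the feed's own affected-version ranges rather than a plain dotted-integer compare, and remember that an empty list is not a clean result. If nothing is unresolved, the submission still needs the explicit statement and evidence called out under "Why the deficiency is issued".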
Our team has taken part in dozens of medical-device FDA submission projects and is familiar with the latest cybersecurity guidance and eSTAR submission requirements. Contact: 思倍科技 (Sibei Technology), 汪老师 (Ms. Wang). Phone: 18128029974. Email: haley@sibeiwa.cn. Fewer detours for your product, faster clearance. #MedicalDeviceRegistration #FDAConsulting #CybersecurityCompliance